Mobile applications are, no doubt, one of the fastest-growing kinds of
application software in the 21st century, owing to the sophistication of
internet-enabled mobile phones and tablets in the world today. To this end,
institutions, enterprises and organizations are developing mobile apps in order
to reach their target audience or sell their goods and services faster and
more easily. Some mobile apps are developed without going through the
appropriate procedures, i.e. applying security measures during development;
hence they are easily hijacked by criminals or vulnerable to all sorts of
viruses. There aren't any policies or standards policing mobile application
development, so security flaws are often overlooked when developers don't take
the time to review their product. The rush-to-release approach is cited as the
leading source of mobile application threats and vulnerabilities. When an app's
development is rushed, it's typically due to customer demand and developer
impatience. Implementing security checks and controls for mobile apps can add
an average of six weeks to the application development process, and it can take
even longer depending on what is found.
Most users may assume that the mobile apps they download are safe, but
more than 50% of developers surveyed in a new report admitted to using
"shortcuts or temporary solutions" to produce their app faster. The
survey of nearly 300 mobile app developers and more than 400 consumers
illustrated a lack of focus on security during the development process. That
lack of focus, along with development shortcuts and common coding errors, is
creating so many mobile application threats that experts believe enterprises
and users should simply behave as if their devices have already been hacked.
According to the survey, 79% of developers agreed that mobile apps have
become a target for cybercrime because of security flaws, and 74% of developers
believed that most enterprise mobile apps are "moderately vulnerable"
to mobile application threats. Perhaps even more troubling: 96% of developers
admitted to using third-party software frameworks that were potentially
insecure.
By rushing their products to the market, experts said, these apps are not
secure or ready for public consumption. In addition to a lack of basic security
controls and privacy policies, many mobile apps contain glaring mistakes that
make them vulnerable to attacks. For example, Kostka, a cybersecurity expert
and CEO of Bluebox Security, said two of the more common errors developers
often make are exposing the API keys in their apps or leaving their developer
menus behind in the code.
Kostka said BYOD security is an issue for all devices and operating systems,
and enterprises shouldn't put faith in the OS to protect their data.
"We're seeing so many more attacks on iOS devices because it's the most
popular platform for enterprises," she said. "You can't just trust
the OS. Apple has done a lot of good things with security, but it's not 100%
secure. And people think an iOS device has to be jailbroken to be at risk, but
that's not true."
All of this adds up to major problems for companies, especially those who
have BYOD policies, Kostka said. Using employee-owned mobile devices in the
workplace is generally encouraged; however, this means companies have to
educate employees about mobile application threats and proper security hygiene.
If employees are careless or have insecure mobile apps on their devices, their
employer can potentially suffer a breach or theft of sensitive data. Since
companies don't have complete control of employees using their own devices for
work, company data is at risk.
Bluebox Security is addressing these issues with a new software product
called Bluebox for Consumer Apps, which will be available in December and is
designed to improve BYOD defenses. The mobile security startup already offers
protection for enterprise iOS and Android apps, but Bluebox for Consumer Apps
focuses on the non-enterprise applications that often reside on BYOD devices in
the enterprise and transforms them into "self-defending apps." Any
application available in the Apple App Store or Google Play Store can be
uploaded to Bluebox for Consumer Apps, which then applies an application
wrapper to the mobile app. The wrapper provides encryption for data at rest,
enterprise security policies, anti-tampering measures, mobile threat
intelligence and other capabilities. Bluebox said the application wrapping
process is simple and
requires just a single click, which won't add additional time to the
application development cycle. "Time to market is crucial for mobile app
developers," she said. "Your app could become irrelevant during that
six weeks."
Kostka said most enterprises know that mobile app development falls short on
security, but they're not taking enough action to properly protect those apps.
"Companies have underinvested in mobile security in a rush to become mobile
first, and now the bill is due," she said. "With mobile threats being
discovered almost daily, and enterprises losing control over consumer devices,
it's only a matter of time before a mobile hack is the root of the next major
breach."